
Unknown bootloader CRC - 0x92EA834D #75

@xuijuthub


Device is a smart socket for UK plug from AliExpress, sold as Matter.
Model name on body: XH-MW3PJ
Big board is called XH-TW1P (six Chinese symbols here) 16A_V2.0
Chip board is called XH-CB2S 0425, chip is marked as BK7231M, also CEN is written as CEИ. Definitely CB2S.

Edit: seems to be the same CB2S piece: https://www.elektroda.com/rtvforum/topic4086986.html

Dump seems successful. CH341a PRO failed at it, Raspberry Pico succeeded using https://github.com/Noltari/pico-uart-bridge, tapped CEN to GND a few times.
bk7231n_output.bin.zip
Based on the dump, it appears to be calling home at mqtts://iot-south.quectelcn.com:8886
BK7231n_1.0.10 has a lot of debug symbols.
The manual says to install wonderfree from the App Store or Google store to get electricity usage.
On the other side there is P21 CSN, which is defined by https://developer.tuya.com/en/docs/Document/cb2s-module-datasheet?id=Kamwxuk0z7j9x. Also P1 for RX2 UART, and there is also an unmarked pin with a radius of exposed ground around it; I suspect it is P0 for TX2 UART. I cannot seem to imitate the 5-second reset button press that the stock fw intends for pairing.

As for the target, honestly I'm not sure what I should attempt to flash. I thought custom firmwares would support BLE but they do not. Latency is a priority: I do have a USB ESP32 devkit, it would be nice if I could bridge BK7231N -802.11> ESP32 -> USB or BK7231N -802.11> ESP32 -BLE> some BLE device.

Edit: tried
ltchiptool flash write OpenBK7231M_ALT_QIO_1.18.197.bin -f bk7231n -s 0x11000
and
ltchiptool flash write OpenBK7231M_QIO_1.18.195.bin -f bk7231n -s 0x11000
Both do not put up an AP.
